IPSEC peers (FP and ASA) send TCP RST to the endpoints

Micccc4
Level 1

Hi Everyone, 

We have an IPSEC tunnel between an FP2110 and an ASA firewall.

The tunnel is stable and operational, but every hour, at the same time, the peers (firewalls) at both ends send a TCP RST packet to the endpoints at their side that have active sessions via the IPSEC tunnel. That breaks the session.

Has anyone experienced something similar?

The SA lifetime in the IPSEC setup is set to 8 hours at both ends, and the flow is allowed on the ACLs at both firewalls.

Thanks in advance for looking at it.

TCP RST from the FP sent to endpoints at its location:

[image: Micccc4_0-1669215941525.png]

TCP RST from the ASA sent to endpoints at its location:

[image: Micccc4_1-1669215969308.png]

2 Replies

buffkata
Level 1

It looks like the TCP session is reset by the client, not by the VPN peer. Is your tunnel rebuilt after the reset?

Micccc4
Level 1

Hi @buffkata - thanks for commenting. Well, this was my first thought as well; that is how it looks based on the SRC IP address. However, the RST packet that is received by the endpoint at one side of the tunnel is not captured on the other, 'source' side. So, where is it coming from? And then I came across this video here:

(and the tunnel itself is stable when this reset takes place)

https://www.youtube.com/watch?v=t5OJephyw8I
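The check described in the last reply (an RST that the endpoint receives, whose claimed source host never sent it according to a capture taken next to that host) can be automated, and the same script can test whether the unmatched RSTs recur on the hourly schedule the original post describes. The Python below is an added example, not code from this thread or from Cisco. It runs on constructed sample captures with hypothetical addresses and assumes both captures were taken on the cleartext LAN side of each firewall, with clocks synchronised to within a couple of seconds.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as it would appear in a cleartext-side capture."""
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "PA", "RA"


def rst_segments(capture):
    """All segments in a capture that carry the RST flag."""
    return [s for s in capture if "R" in s.flags]


def orphan_rsts(receiver_side, sender_side, window=2.0):
    """RSTs present in the receiver-side capture that have no counterpart
    (same 4-tuple, timestamp within `window` seconds) in the capture taken
    next to the host named as the source. An orphan RST was injected
    somewhere on the path rather than sent by that host."""
    sender_rsts = rst_segments(sender_side)
    orphans = []
    for r in rst_segments(receiver_side):
        matched = any(
            s.src == r.src and s.dst == r.dst
            and s.sport == r.sport and s.dport == r.dport
            and abs(s.ts - r.ts) <= window
            for s in sender_rsts
        )
        if not matched:
            orphans.append(r)
    return orphans


def recurring_period(segments, tolerance=5.0):
    """If the inter-arrival gaps cluster on one value (rounded to `tolerance`
    seconds) for at least 80% of the gaps, return that period in seconds;
    otherwise return None."""
    ts = sorted(s.ts for s in segments)
    if len(ts) < 3:
        return None
    gaps = [round((b - a) / tolerance) * tolerance for a, b in zip(ts, ts[1:])]
    gap, count = Counter(gaps).most_common(1)[0]
    return gap if count >= 0.8 * len(gaps) else None


# Constructed sample captures (hypothetical addresses, not from the thread).
# SITE_B_CAPTURE was taken on the LAN behind the ASA, where 10.2.0.5 lives;
# SITE_A_CAPTURE on the LAN behind the FP2110, where 10.1.0.7 lives.
SITE_B_CAPTURE = [
    Segment(0.00, "10.2.0.5", "10.1.0.7", 51000, 443, "S"),
    Segment(0.20, "10.1.0.7", "10.2.0.5", 443, 51000, "SA"),
    Segment(0.21, "10.2.0.5", "10.1.0.7", 51000, 443, "A"),
    Segment(100.0, "10.2.0.5", "10.1.0.7", 51000, 443, "RA"),  # genuine client reset
    Segment(200.0, "10.2.0.5", "10.1.0.7", 51002, 443, "S"),
    Segment(200.2, "10.1.0.7", "10.2.0.5", 443, 51002, "SA"),
]
SITE_A_CAPTURE = [
    Segment(0.10, "10.2.0.5", "10.1.0.7", 51000, 443, "S"),
    Segment(0.10, "10.1.0.7", "10.2.0.5", 443, 51000, "SA"),
    Segment(0.31, "10.2.0.5", "10.1.0.7", 51000, 443, "A"),
    Segment(100.1, "10.2.0.5", "10.1.0.7", 51000, 443, "RA"),  # same reset, seen at both ends
    Segment(200.1, "10.2.0.5", "10.1.0.7", 51002, 443, "S"),
    Segment(200.1, "10.1.0.7", "10.2.0.5", 443, 51002, "SA"),
    # Hourly RSTs that claim to come from 10.2.0.5 but are absent at site B:
    Segment(3600.0, "10.2.0.5", "10.1.0.7", 51002, 443, "RA"),
    Segment(7200.0, "10.2.0.5", "10.1.0.7", 51002, 443, "RA"),
    Segment(10800.0, "10.2.0.5", "10.1.0.7", 51002, 443, "RA"),
    Segment(14400.0, "10.2.0.5", "10.1.0.7", 51002, 443, "RA"),
]


def analyse(receiver_side, sender_side):
    """Return (orphan RSTs, detected period in seconds or None)."""
    orphans = orphan_rsts(receiver_side, sender_side)
    return orphans, recurring_period(orphans)


if __name__ == "__main__":
    orphans, period = analyse(SITE_A_CAPTURE, SITE_B_CAPTURE)
    for o in orphans:
        print(f"t={o.ts:>8.1f}s  RST {o.src}:{o.sport} -> {o.dst}:{o.dport} not seen at sender side")
    if period is not None:
        print(f"unmatched RSTs recur every {period:.0f} s")
    else:
        print("unmatched RSTs show no fixed period")
```

The source address of a reset is not evidence of who sent it, which is why a single capture looks like a client-side reset: a device on the path that tears down a flow writes the remote endpoint's address as the source. Only the second capture, taken beside that claimed source, separates resets the host really sent (the one at t=100 above appears at both ends) from resets injected in between (the four hourly ones). With real traffic, feed the script from `tshark -T fields` output or a pcap reader in place of the constructed lists.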
